This article explains why Android FortiClient is showing an ‘untrusted certificate’ warning when the FortiClient EMS or VPN gateway has a valid certificate.
Scope
Android FortiClient v7.0.x, v7.2.x:
When FortiClient EMS is already showing ‘All SSL certificates are secure’.
When devices on other platforms (Windows, macOS, iOS) do not show an ‘untrusted certificate’ warning when joining FortiClient EMS or connecting to a VPN gateway, and only Android devices show the ‘untrusted certificate’ warning.
Solution
- Android is very particular about the server being configured properly with the FULL certificate chain and ALL intermediate certificates, more so than other platforms.
- Android devices do not hold ALL intermediate certificates locally, so a FULL certificate chain cannot be formed unless the server sends them, hence the ‘invalid certificate’ message.
- Android platform itself requires a full certificate chain for a portal/FQDN to be considered as trusted.
To verify, use OpenSSL to query the FQDN and port. For example, for fortigate.company.com.au:11443:
$ openssl s_client -showcerts -connect fortigate.company.com.au:11443
CONNECTED(000001C0)
depth=0 CN = fortigate.company.com.au
verify error:num=20:unable to get local issuer certificate   <---------
verify return:1
depth=0 CN = fortigate.company.com.au
verify error:num=21:unable to verify the first certificate   <---------
verify return:1
depth=0 CN = fortigate.company.com.au
verify return:1
If an FQDN has a valid FULL certificate chain:
$ openssl s_client -showcerts random.contoso.com.au:443
CONNECTED(000001B8)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
verify return:1
depth=0 C = AU, ST = Victoria, L = Port Melbourne, O = Random-company, CN = random.contoso.com.au
verify return:1
Other websites to test the certificate chain:
https://www.ssllabs.com/ssltest/
https://www.sslchecker.com/sslchecker
https://www.geocerts.com/ssl-checker
https://www.sslshopper.com/ssl-checker.html
Example output when an FQDN does not have a FULL certificate chain:
In conclusion:
- If an FQDN does not have a full certificate chain, this behavior is expected on the Android platform.
- It is not possible to bypass the warning prompt in telemetry if the FortiClient EMS certificate does not have a FULL certificate chain. Android devices must select ‘ALLOW’ to join EMS.
- To bypass the warning prompt in the VPN, turn off ‘Enable Invalid Server Certificate Warning’ in the Remote Access profile for Android devices.